/**
* Inserts detected attacks into the database
*
* @param object
* @return boolean
*/
public function execute(IDS_Report $report_data)
{
global $wpdb, $current_user;
if (!$current_user) {
$user_id = 0;
} else {
$user_id = $current_user->ID;
}
if (!isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = substr($_SERVER['PHP_SELF'], 1);
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING']) {
$_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
}
}
foreach ($report_data as $event) {
$data['name'] = $event->getName();
$data['value'] = stripslashes($event->getValue());
$data['page'] = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$data['tags'] = implode(', ', $event->getTags());
$data['ip'] = $this->ip;
$data['user_id'] = $user_id;
//hassan
$data['impact'] = $event->getImpact();
$data['total_impact'] = $report_data->getImpact();
//hassan
$data['origin'] = $_SERVER['SERVER_ADDR'];
$data['created'] = date('Y-m-d H:i:s', time());
if (false === $wpdb->insert($wpdb->hmwp_ms_intrusions, $data)) {
return false;
}
}
return true;
}
/**
* Inserts detected attacks into the database
*
* @param object
* @return boolean
*/
public function execute(IDS_Report $report_data)
{
global $wpdb, $current_user;
if (!$current_user) {
$user_id = 0;
} else {
$user_id = $current_user->ID;
}
if (!isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = substr($_SERVER['PHP_SELF'], 1);
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING']) {
$_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
}
}
$allowed = array('a' => array('href' => array()), 'strong' => array());
foreach ($report_data as $event) {
$data['name'] = sanitize_text_field($event->getName());
$data['value'] = wp_kses($event->getValue(), $allowed);
$data['page'] = isset($_SERVER['REQUEST_URI']) ? wp_kses($_SERVER['REQUEST_URI'], $allowed) : '';
$data['tags'] = implode(', ', $event->getTags());
$data['ip'] = sanitize_text_field($this->ip);
$data['user_id'] = $user_id;
//hassan
$data['impact'] = $event->getImpact();
$data['total_impact'] = $report_data->getImpact();
//hassan
//$data['origin'] = sanitize_text_field($_SERVER['SERVER_ADDR']);
$c = countryCode($this->ip);
if (!$c) {
$c = '';
}
$data['origin'] = sanitize_text_field($c);
$data['created'] = date('Y-m-d H:i:s', time());
if (false === $wpdb->insert($wpdb->hmwp_ms_intrusions, $data)) {
return false;
}
}
return true;
}
/**
* Assembles the notification string
* @param int $impact Impact of the potential attack
* @param IDS_Report $result the result of PHPIDSs check
* @param string $level the level of the potential attack
* @return string the assembled notification
*/
private function getNotificationString($impact, IDS_Report $result, $level)
{
$retstr = "ZIDS detected a potential attack! ZIDS LEVEL: " . $level;
foreach ($this->_logitems as $item) {
switch ($item) {
case "ip":
$retstr .= " from IP: " . $_SERVER['REMOTE_ADDR'];
break;
case "impact":
$retstr .= " Impact: " . $impact;
break;
case "tags":
$retstr .= " Tags: " . implode(',', $result->getTags());
break;
case "variables":
$retstr .= " Variables: ";
foreach ($result->getIterator() as $event) {
$retstr .= $event->getName() . " (Tags: " . $event->getTags() . "; Value: " . $event->getValue() . "; Impact: " . $event->getImpact() . ") ";
}
break;
}
}
return $retstr;
}
/**
* Stores given data into the database
*
* @param object $data IDS_Report instance
*
* @throws Exception if db error occurred
* @return boolean
*/
public function execute(IDS_Report $data)
{
global $Output;
foreach ($data as $event) {
$page = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$ip = $this->ip;
//$this->statement->bindParam('name', $event->getName());
//$this->statement->bindParam('value', $event->getValue());
//$this->statement->bindParam('page', $page);
//$this->statement->bindParam('ip', $ip);
//$this->statement->bindParam('impact', $data->getImpact());
$Output = array('name' => $event->getName(), 'value' => $event->getValue(), 'page' => $page, 'ip' => $ip, 'impact' => $data->getImpact());
/*
if (!$this->statement->execute()) {
$info = $this->statement->errorInfo();
throw new Exception(
$this->statement->errorCode() . ', ' . $info[1] . ', ' . $info[2]
);
}
*/
}
return true;
}
/**
* Process results from IDS scan.
*
* @param IDS_Init $init PHPIDS init object reference.
* @param IDS_Report $result The result object from PHPIDS.
*
* @return void
*/
private function _processIdsResult(IDS_Init $init, IDS_Report $result)
{
// $result contains any suspicious fields enriched with additional info
// Note: it is moreover possible to dump this information by simply doing
//"echo $result", calling the IDS_Report::$this->__toString() method implicitely.
$requestImpact = $result->getImpact();
if ($requestImpact < 1) {
// nothing to do
return;
}
// update total session impact to track an attackers activity for some time
$sessionImpact = SessionUtil::getVar('idsImpact', 0) + $requestImpact;
SessionUtil::setVar('idsImpact', $sessionImpact);
// let's see which impact mode we are using
$idsImpactMode = System::getVar('idsimpactmode', 1);
$idsImpactFactor = 1;
if ($idsImpactMode == 1) {
$idsImpactFactor = 1;
} elseif ($idsImpactMode == 2) {
$idsImpactFactor = 10;
} elseif ($idsImpactMode == 3) {
$idsImpactFactor = 5;
}
// determine our impact threshold values
$impactThresholdOne = System::getVar('idsimpactthresholdone', 1) * $idsImpactFactor;
$impactThresholdTwo = System::getVar('idsimpactthresholdtwo', 10) * $idsImpactFactor;
$impactThresholdThree = System::getVar('idsimpactthresholdthree', 25) * $idsImpactFactor;
$impactThresholdFour = System::getVar('idsimpactthresholdfour', 75) * $idsImpactFactor;
$usedImpact = ($idsImpactMode == 1) ? $requestImpact : $sessionImpact;
// react according to given impact
if ($usedImpact > $impactThresholdOne) {
// db logging
// determine IP address of current user
$_REMOTE_ADDR = System::serverGetVar('REMOTE_ADDR');
$_HTTP_X_FORWARDED_FOR = System::serverGetVar('HTTP_X_FORWARDED_FOR');
$ipAddress = ($_HTTP_X_FORWARDED_FOR) ? $_HTTP_X_FORWARDED_FOR : $_REMOTE_ADDR;
$currentPage = System::getCurrentUri();
$currentUid = UserUtil::getVar('uid');
$intrusionItems = array();
foreach ($result as $event) {
$eventName = $event->getName();
$malVar = explode(".", $eventName, 2);
$filters = array();
foreach ($event as $filter) {
array_push($filters, array(
'id' => $filter->getId(),
'description' => $filter->getDescription(),
'impact' => $filter->getImpact(),
'tags' => $filter->getTags(),
'rule' => $filter->getRule()));
}
$tagVal = $malVar[1];
$newIntrusionItem = array(
'name' => array($eventName),
'tag' => $tagVal,
'value' => $event->getValue(),
'page' => $currentPage,
'uid' => $currentUid,
'ip' => $ipAddress,
'impact' => $result->getImpact(),
'filters' => serialize($filters),
'date' => DateUtil::getDatetime()
);
if (array_key_exists($tagVal, $intrusionItems)) {
$intrusionItems[$tagVal]['name'][] = $newIntrusionItem['name'][0];
} else {
$intrusionItems[$tagVal] = $newIntrusionItem;
}
}
// log details to database
foreach ($intrusionItems as $tag => $intrusionItem) {
$intrusionItem['name'] = implode(", ", $intrusionItem['name']);
// create new ZIntrusion instance
$obj = new SecurityCenter_DBObject_Intrusion();
// set data
$obj->setData($intrusionItem);
// save object to db
$obj->save();
}
}
if (System::getVar('idsmail') && ($usedImpact > $impactThresholdTwo)) {
// mail admin
// prepare mail text
$mailBody = __('The following attack has been detected by PHPIDS') . "\n\n";
$mailBody .= __f('IP: %s', $ipAddress) . "\n";
$mailBody .= __f('UserID: %s', $currentUid) . "\n";
$mailBody .= __f('Date: %s', DateUtil::strftime(__('%b %d, %Y'), (time()))) . "\n";
if ($idsImpactMode == 1) {
$mailBody .= __f('Request Impact: %d', $requestImpact) . "\n";
} else {
$mailBody .= __f('Session Impact: %d', $sessionImpact) . "\n";
}
$mailBody .= __f('Affected tags: %s', join(' ', $result->getTags())) . "\n";
$attackedParameters = '';
foreach ($result as $event) {
$attackedParameters .= $event->getName() . '=' . urlencode($event->getValue()) . ", ";
}
$mailBody .= __f('Affected parameters: %s', trim($attackedParameters)) . "\n";
$mailBody .= __f('Request URI: %s', urlencode($currentPage));
// prepare other mail arguments
$siteName = System::getVar('sitename');
$adminmail = System::getVar('adminmail');
$mailTitle = __('Intrusion attempt detected by PHPIDS');
if (ModUtil::available('Mailer')) {
$args = array();
$args['fromname'] = $siteName;
$args['fromaddress'] = $adminmail;
$args['toname'] = 'Site Administrator';
$args['toaddress'] = $adminmail;
$args['subject'] = $mailTitle;
$args['body'] = $mailBody;
$rc = ModUtil::apiFunc('Mailer', 'user', 'sendmessage', $args);
} else {
$headers = "From: $siteName <$adminmail>\n"
."X-Priority: 1 (Highest)";
System::mail($adminmail, $mailTitle, $mailBody, $headers);
}
}
if ($usedImpact > $impactThresholdThree) {
// block request
if (System::getVar('idssoftblock')) {
// warn only for debugging the ruleset
LogUtil::registerError(__('Malicious request code / a hacking attempt was detected. This request has NOT been blocked!'));
} else {
throw new Zikula_Exception_Forbidden(__('Malicious request code / a hacking attempt was detected. Thus this request has been blocked.'), null, $result);
}
}
return;
}
/**
* This function reacts on the values in the incoming results array.
*
* Depending on the impact value certain actions are
* performed.
*
* @param IDS_Report $result
*
* @return bool
*/
private function react(IDS_Report $result)
{
$impact = $result->getImpact();
if ($impact >= $this->threshold['kick']) {
$this->log($result, 3, $impact);
$this->kick();
return TRUE;
} elseif ($impact >= $this->threshold['warn']) {
$this->log($result, 2, $impact);
$this->warn($result);
return TRUE;
} elseif ($impact >= $this->threshold['log']) {
$this->log($result, 0, $impact);
return TRUE;
} else {
return TRUE;
}
}
public function assertImpact(IDS_Report $result, $impact, $suhosinImpact)
{
if (extension_loaded('suhosin')) {
$this->assertSame($suhosinImpact, $result->getImpact());
} else {
$this->assertSame($impact, $result->getImpact());
}
}
/**
* This function rects on the values in
* the incoming results array.
*
* Depending on the impact value certain actions are
* performed.
*
* @param IDS_Report $result
* @return boolean
*/
private function react(IDS_Report $result)
{
$new = $this->controller->Session->read('IDS.Impact') + $result->getImpact();
$this->controller->Session->write('IDS.Impact', $new);
$impact = $this->controller->Session->read('IDS.Impact');
if ($impact >= $this->threshold['kick']) {
$this->idslog($result, 3, $impact);
$this->idsmail($result);
$this->idskick($result);
return true;
} else {
if ($impact >= $this->threshold['warn']) {
$this->idslog($result, 2, $impact);
$this->idsmail($result);
$this->idswarn($result);
return true;
} else {
if ($impact >= $this->threshold['mail']) {
$this->idslog($result, 1, $impact);
$this->idsmail($result);
return true;
} else {
if ($impact >= $this->threshold['log']) {
$this->idslog($result, 0, $impact);
return true;
} else {
return true;
}
}
}
}
}
/**
* Assembles the HTML notification string for the email plugin
* @param int $impact Impact of the potential attack
* @param IDS_Report $result the result of PHPIDSs check
* @param string $level the level of the potential attack
* @param array $options options usually defined in application.ini
* @return string the assembled notification
*/
private function assembleEmailText($impact, IDS_Report $result, $level, $options)
{
$retstr = "[HUKUMONLINE] detected a potential attack! @LEVEL: " . $level . "<br><br>";
// parse email items parameters
$items = explode(',', isset($options['items']) ? $options['items'] : 'ip, impact, tags, variables');
array_walk($items, create_function('&$arr', '$arr=trim($arr);'));
foreach ($items as $item) {
switch ($item) {
case "ip":
$retstr .= " from IP: " . $_SERVER['REMOTE_ADDR'] . '<br>';
break;
case "impact":
$retstr .= " Impact: " . $impact . '<br>';
break;
case "tags":
$retstr .= " Tags: " . implode(',', $result->getTags()) . '<br>';
break;
case "variables":
$retstr .= " Variables: ";
foreach ($result->getIterator() as $event) {
$retstr .= $event->getName() . " (Tags: " . $event->getTags() . "; Value: " . $event->getValue() . "; Impact: " . $event->getImpact() . ")<br>";
}
break;
}
}
return $retstr;
}
public function testEmpty()
{
$this->assertFalse($this->report->isEmpty());
$report = new IDS_Report();
$this->assertTrue($report->isEmpty());
}
/**
* Stores given data into the database
*
* @param object $data IDS_Report instance
*
* @throws Exception if db error occurred
* @return boolean
*/
public function execute(IDS_Report $data)
{
if (!isset($_SERVER['REQUEST_URI'])) {
$_SERVER['REQUEST_URI'] = substr($_SERVER['PHP_SELF'], 1);
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING']) {
$_SERVER['REQUEST_URI'] .= '?' . $_SERVER['QUERY_STRING'];
}
}
foreach ($data as $event) {
$page = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$ip = $this->ip;
$this->statement->bindParam('name', $event->getName());
$this->statement->bindParam('value', $event->getValue());
$this->statement->bindParam('page', $page);
$this->statement->bindParam('ip', $ip);
$this->statement->bindParam('impact', $data->getImpact());
$this->statement->bindParam('origin', $_SERVER['SERVER_ADDR']);
if (!$this->statement->execute()) {
$info = $this->statement->errorInfo();
throw new Exception($this->statement->errorCode() . ', ' . $info[1] . ', ' . $info[2]);
}
}
return true;
}
